January 2018 Code Aurora Security Bulletin

Version 1.1

Published: 01/25/2018
Updated: 02/08/2018

This document describes security vulnerabilities that were addressed through software changes. Source code patches for these issues have been released to the Code Aurora Forum (CAF) and linked from this bulletin. These changes are applicable but not limited to Android for MSM (all Android releases from CAF using the Linux-kernel), Firefox OS for MSM & QRD Android projects. Customers were previously notified of the issues described in this bulletin. Each of the vulnerabilities has an associated security rating. A description of these ratings using v 1.2 of the ratings scheme can be found at the following link.

Please reach out to security-advisory@quicinc.com for any questions related to this bulletin.

Announcements

None.

Acknowledgements

We would like to thank these researchers for their contributions in reporting these issues to us.

CVE-2017-11003, CVE-2017-11066, CVE-2017-11069, CVE-2017-11079, CVE-2017-11080, CVE-2017-14869, CVE-2017-14870, CVE-2017-9712	derrek (https://twitter.com/derrekr6)
CVE-2017-9689	Tim Strazzere (@timstrazz)
CVE-2017-14873	Peter Pi of Tencent Security Platform Department
CVE-2017-9705	Jianqiang Zhao (jianqiangzhao)
CVE-2017-11081	Jianqiang Zhao(@jianqiangzhao) and pjf(weibo.com/jfpan) of IceSword Lab, Qihoo 360

Table of vulnerabilities

Public ID	Security Rating	Technology Area	Date Reported
CVE-2017-15849	High	Display	Internal
CVE-2017-11069	High	Trusted Execution Environment	5/27/2017
CVE-2017-11003	Medium	Boot	3/13/2017
CVE-2017-9712	Medium	WLAN HOST	3/24/2017
CVE-2017-9689	Medium	Display	3/28/2017
CVE-2017-14873	Medium	Display	4/30/2017
CVE-2017-9705	Medium	Qualcomm IPC	5/9/2017
CVE-2017-14869	Medium	Boot	5/27/2017
CVE-2017-14870	Medium	Boot	5/27/2017
CVE-2017-11066	High	Boot	4/27/2017
CVE-2017-15847	High	Trusted Execution Environment	Internal
CVE-2017-15845	Medium	WLAN HOST	2/28/2017
CVE-2017-15848	High	DSP Service	Internal
CVE-2017-11081	Medium	WLAN HOST	7/11/2017
CVE-2017-11080	Medium	Boot	7/16/2017
CVE-2017-11079	Medium	Boot	7/16/2017

CVE-2017-15849

CVE ID	CVE-2017-15849
Title	Use After Free in Display
Description	A LayerStack can be destroyed in between Validate and Commit by the application resulting in a Use After Free condition.
Technology Area	Display
Vulnerability Type	CWE-416 Use After Free
Access Vector	Local
Security Rating	High
Date Reported	Internal
Customer Notified Date	9/1/2017
Patch	https://source.codeaurora.org/quic/la/platform/hardware/qcom/display/commit/?id=0a59679b954c02b899613cc6a00d7e9fca455157From the CAF link above, only the changes to the following files are relevant: sdm/libs/hwc2/hwc_display.cpp sdm/libs/hwc2/hwc_display.h sdm/libs/hwc2/hwc_session.h

CVE-2017-11069

CVE ID	CVE-2017-11069
Title	Buffer Copy without Checking Size of Input in Core
Description	Manipulation of SafeSwitch Image data can result in Heap overflow.
Technology Area	Trusted Execution Environment
Vulnerability Type	CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector	Local
Security Rating	High
Date Reported	5/27/2017
Customer Notified Date	9/1/2017
Patch	https://source.codeaurora.org/quic/la/kernel/lk/commit/?id=daf1fbae4be7bd669264a7907677250ff2a1f89b

CVE-2017-11003

CVE ID	CVE-2017-11003
Title	Improper Input Validation in Boot
Description	While updating a firmware image, data is read from flash into RAM without checking that the data fits into allotted RAM size.
Technology Area	Boot
Vulnerability Type	CWE-20 Improper Input Validation
Access Vector	Local
Security Rating	Medium
Date Reported	3/13/2017
Customer Notified Date	8/7/2017
Patch	https://source.codeaurora.org/quic/la/kernel/lk/commit/?id=6ca5369f343f942ad925dc01371d87d040235243

CVE-2017-9712

CVE ID	CVE-2017-9712
Title	Information Exposure in WLAN
Description	If userspace provides a too-large IE length in wlan_hdd_cfg80211_set_ie, a buffer over-read occurs.
Technology Area	WLAN HOST
Vulnerability Type	CWE-200 Information Exposure
Access Vector	Local
Security Rating	Medium
Date Reported	3/24/2017
Customer Notified Date	7/3/2017
Patch	https://www.codeaurora.org/gitweb/quic/la/?p=platform/vendor/qcom-opensource/wlan/qcacld-2.0.git;a=commit;h=b1d0e250717fc4d8b7c45cef036ea9d16293c616

CVE-2017-9689

CVE ID	CVE-2017-9689
Title	Buffer Copy without Checking Size of Input in Display
Description	A specially-crafted HDMI CEC message can be used to cause stack memory corruption.
Technology Area	Display
Vulnerability Type	CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector	Local
Security Rating	Medium
Date Reported	3/28/2017
Customer Notified Date	7/3/2017
Patch	https://source.codeaurora.org/quic/la/platform/hardware/qcom/display/commit/?id=faa99f2ff3d5b1c3848a7a049b2cf5e548bfd268

CVE-2017-14873

CVE ID	CVE-2017-14873
Title	Improper Input Validation in Display
Description	In the pp_pgc_get_config() graphics driver function, a kernel memory overwrite can potentially occur.
Technology Area	Display
Vulnerability Type	CWE-20 Improper Input Validation
Access Vector	Local
Security Rating	Medium
Date Reported	4/30/2017
Customer Notified Date	10/2/2017
Patch	https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=57377acfed328757da280f4adf1c300f0b032422 https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=e9492b99156137cf533722eea6ba8846d424c800

CVE-2017-9705

CVE ID	CVE-2017-9705
Title	Double Free in Core
Description	Concurrent rx notifications and read() operations in the G-Link PKT driver can result in a double free condition due to missing locking resulting in list_del() and list_add() overlapping and corrupting the next and previous pointers.
Technology Area	Qualcomm IPC
Vulnerability Type	CWE-415 Double Free
Access Vector	Local
Security Rating	Medium
Date Reported	5/9/2017
Customer Notified Date	10/2/2017
Patch	https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=00515286cf52145f2979026b8641cfb15c8e7644

CVE-2017-14869

CVE ID	CVE-2017-14869
Title	Information Exposure in Boot
Description	While performing update of FOTA partition, uninitialized data can be pushed to storage.
Technology Area	Boot
Vulnerability Type	CWE-200 Information Exposure
Access Vector	Local
Security Rating	Medium
Date Reported	5/27/2017
Customer Notified Date	10/2/2017
Patch	https://source.codeaurora.org/quic/la/kernel/lk/commit/?id=e5d62d222504b9f4f079ea388f0724f471855fbe

CVE-2017-14870

CVE ID	CVE-2017-14870
Title	Information Exposure in Boot
Description	While updating the recovery message for eMMC devices, 1088 bytes of stack memory can potentially be leaked.
Technology Area	Boot
Vulnerability Type	CWE-200 Information Exposure
Access Vector	Local
Security Rating	Medium
Date Reported	5/27/2017
Customer Notified Date	10/2/2017
Patch	https://source.codeaurora.org/quic/la/kernel/lk/commit/?id=1ab72362bad8482392de02b425efaab76430de15

CVE-2017-11066

CVE ID	CVE-2017-11066
Title	Buffer Copy without Checking Size of Input in Boot
Description	While flashing ubi image an uninitialized memory could be accessed.
Technology Area	Boot
Vulnerability Type	CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector	Local
Security Rating	High
Date Reported	4/27/2017
Customer Notified Date	9/1/2017
Patch	https://source.codeaurora.org/quic/la/kernel/lk/commit/?id=5addd693aec592118bd5c870ba547b6311a4aeca

CVE-2017-15847

CVE ID	CVE-2017-15847
Title	Time-of-check Time-of-use (TOCTOU) Race Condition in Core
Description	In the SPCom kernel driver, a race condition exists when creating a channel.
Technology Area	Trusted Execution Environment
Vulnerability Type	CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition
Access Vector	Local
Security Rating	High
Date Reported	Internal
Customer Notified Date	10/2/2017
Patch	https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=6f510e5c3ffe80ad9ea4271a39a21d3b647e1f0f

CVE-2017-15845

CVE ID	CVE-2017-15845
Title	Integer Underflow in WLAN
Description	An invalid input of firmware size (negative value) from user space can potentially lead to the memory leak or buffer overflow during the WLAN cal data store operation.
Technology Area	WLAN HOST
Vulnerability Type	CWE-191 Integer Underflow (Wrap or Wraparound)
Access Vector	Local
Security Rating	Medium
Date Reported	2/28/2017
Customer Notified Date	10/2/2017
Patch	https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=d39f7f0663394e1e863090108a80946b90236112

CVE-2017-15848

CVE ID	CVE-2017-15848
Title	Buffer Copy Without Checking Size of Input (“Classic Buffer Overflow”) in Multimedia
Description	In the fastrpc kernel driver, a buffer overflow vulnerability from userspace may potentially exist.
Technology Area	DSP Service
Vulnerability Type	CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector	Local
Security Rating	High
Date Reported	Internal
Customer Notified Date	10/2/2017
Patch	https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=d24a74a7103cb6b773e1d8136ba51b64fa96b21d

CVE-2017-11081

CVE ID	CVE-2017-11081
Title	Buffer Copy without Checking Size of Input in WLAN
Description	There is a potential buffer overflow vulnerability in hdd_parse_setrmcenable_command and hdd_parse_setrmcactionperiod_command APIs as buffers defined in this API can hold maximum 32 bytes but data more than 32 bytes can get copied.
Technology Area	WLAN HOST
Vulnerability Type	CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
Access Vector	Local
Security Rating	Medium
Date Reported	7/11/2017
Customer Notified Date	10/2/2017
Patch	https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=d650d091aad2b13887b374ddc4268a457040ffc1

CVE-2017-11080

CVE ID	CVE-2017-11080
Title	Configuration Vulnerability in Boot
Description	While processing a user supplied sparse image, a buffer overflow vulnerability could occur if the sparse header block size is equal to 4294967296.
Technology Area	Boot
Vulnerability Type	CWE-16 Configuration
Access Vector	Local
Security Rating	Medium
Date Reported	7/16/2017
Customer Notified Date	10/2/2017
Patch	https://source.codeaurora.org/quic/la/kernel/lk/commit/?id=2ad74d7cd329207f7c793fde4381111f5fcd4b23

CVE-2017-11079

CVE ID	CVE-2017-11079
Title	Information Exposure in Boot
Description	While processing sparse image, uninitialized heap memory can potentially be flashed due to the lack of validation of sparse image block header size.
Technology Area	Boot
Vulnerability Type	CWE-200 Information Exposure
Access Vector	Local
Security Rating	Medium
Date Reported	7/16/2017
Customer Notified Date	10/2/2017
Patch	https://source.codeaurora.org/quic/la/kernel/lk/commit/?id=ddae8fa912fd2b207b56733f5294d33c6a956b65

Industry Coordination

Security ratings of issues included in Android security bulletins and these bulletins match in the most common scenarios but may differ in some cases due to one of the following reasons:

• Consideration of security protections such as SELinux not enforced on some platforms
• Differences in assessment of some specific scenarios that involves local denial of service or privilege escalation vulnerabilities in the high level OS kernel

Version History

Version	Date	Comments
1.0	January 25, 2018	Bulletin Published
1.1	February 8, 2018	Removed duplicate CVE